[openstack-dev] [security] [api] Script injection issue
fungi at yuggoth.org
Fri Nov 17 19:24:07 UTC 2017
On 2017-11-17 15:55:33 +0000 (+0000), Tristan Cacqueray wrote:
> We had similar issues in the past where we already drew the line
> that it is the client responsibility to filter out API response.
> Thus I agree with Jeremy, perhaps it is not ideal, but at least it
> doesn't give a false sense of security if^Wwhen the server side
> filtering lets unpredicted malicious content through.
To be clear, I don't object to making whatever developers and API
SIG members feel are sane filtering choices service-side, it's just
that I think the VMT will consider those security hardening patches
and not vulnerability fixes. If Horizon or any other consuming
application fails to properly sanitize data before performing
potentially unsafe actions with it, that's a vulnerability and would
generally warrant an official security advisory.
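To illustrate the distinction Jeremy draws, here is an added Python example (not code from this thread, from Horizon or from any OpenStack service): a constructed server-list response whose `name` field carries markup, a hypothetical service-side `naive_server_filter` that strips `<script>` elements, and two consuming-side renderers. The filter removes one payload but passes an attribute-based one, while escaping at the point the data enters HTML neutralises both. All names, data and the `contains_active_markup` check are this example's own assumptions.

```python
import html
import re

# Constructed sample API response (not real OpenStack data): server
# names an untrusted tenant could have set through the API.
SAMPLE_SERVERS = [
    {"id": "a1", "name": "web-01"},
    {"id": "a2", "name": "<script>alert(1)</script>"},
    {"id": "a3", "name": '<img src=x onerror="alert(1)">'},
]

_SCRIPT_TAG = re.compile(r"<script.*?>.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_server_filter(servers):
    """Hypothetical service-side hardening: strip <script> elements from
    names. It stops that one payload but not markup that fires through an
    event-handler attribute, which is why it is hardening, not a fix."""
    return [dict(s, name=_SCRIPT_TAG.sub("", s["name"])) for s in servers]


def render_unsafe(servers):
    """Interpolates API fields straight into HTML: the consuming-app bug
    that would warrant an advisory."""
    return "".join(f'<li data-id="{s["id"]}">{s["name"]}</li>' for s in servers)


def render_escaped(servers):
    """Escapes every field where it enters HTML, whatever the server did.
    quote=True also escapes quotes so values are safe inside attributes."""
    return "".join(
        f'<li data-id="{html.escape(s["id"], quote=True)}">'
        f'{html.escape(s["name"], quote=True)}</li>'
        for s in servers
    )


def contains_active_markup(fragment):
    """Crude check for this demonstration only: reports any tag in the
    fragment other than the <li> elements the renderers themselves emit."""
    tags = re.findall(r"<(/?[a-zA-Z][^\s>/]*)", fragment)
    return any(t.lower() not in ("li", "/li") for t in tags)


if __name__ == "__main__":
    filtered = naive_server_filter(SAMPLE_SERVERS)
    print("unsafe render, raw data:      ", contains_active_markup(render_unsafe(SAMPLE_SERVERS)))
    print("unsafe render, filtered data: ", contains_active_markup(render_unsafe(filtered)))
    print("escaped render, raw data:     ", contains_active_markup(render_escaped(SAMPLE_SERVERS)))
```

In a Django application such as Horizon the template engine's autoescaping performs the `render_escaped` step by default; the consuming-side vulnerability the message describes typically arises where that is bypassed, for example with `mark_safe` or the `|safe` filter, or where API data is inserted into the DOM by client-side JavaScript without escaping.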